When it finds files that match one of these types, it will encrypt the file using the public encryption key and add the full path to the file and the filename as a value under the HKEY_CURRENT_USER\Software\CryptoLocker_0388\Files Registry key.

The command that is run when you click on an executable is:

    [HKEY_CLASSES_ROOT\.exe]
    @="Myjiaabodehhltdr"
    "Content Type"="application/x-msdownload"

    [HKEY_CLASSES_ROOT\.exe\PersistentHandler]
    @=""

    [HKEY_CLASSES_ROOT\Myjiaabodehhltdr]

    [HKEY_CLASSES_ROOT\Myjiaabodehhltdr\DefaultIcon]
    @="%1"

    [HKEY_CLASSES_ROOT\Myjiaabodehhltdr\shell]

    [HKEY_CLASSES_ROOT\Myjiaabodehhltdr\shell\open]

    [HKEY_CLASSES_ROOT\Myjiaabodehhltdr\shell\open\command]
    @="\"C:\\Users\\User\\AppData\\Local\\Rlatviomorjzlefba.exe\" - \"%1\" %*"

Once the infection has successfully deleted your shadow volume copies, it will restore your exe extensions back to the Windows defaults.
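The following check is an added example, not part of the original guide: it parses a .reg-style export and reports when the .exe association differs from the Windows defaults, as in the values listed above. The function names are hypothetical, both sample exports are constructed, and the defaults are assumed to be the `exefile` handler with the open command `"%1" %*`.

```python
import re

# Constructed sample: export carrying the hijacked association quoted above.
SAMPLE_EXPORT = r'''
[HKEY_CLASSES_ROOT\.exe]
@="Myjiaabodehhltdr"
[HKEY_CLASSES_ROOT\Myjiaabodehhltdr\shell\open\command]
@="\"C:\\Users\\User\\AppData\\Local\\Rlatviomorjzlefba.exe\" - \"%1\" %*"
'''

# Constructed sample: the same keys with the assumed Windows defaults.
CLEAN_EXPORT = r'''
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

DEFAULT_PROGID = "exefile"      # assumed default handler for .exe
DEFAULT_COMMAND = '"%1" %*'     # assumed default open command
# Matches @="data" or "name"="data", allowing backslash escapes inside quotes.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"\s*$')

def parse_reg(text):
    """Return {lowercased key path: {value name: string data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                name = "" if m.group(1) == "@" else m.group(1)[1:-1]
                # Undo .reg escaping: \\ becomes \ and \" becomes "
                current[name] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def check_exe_association(text, root="HKEY_CLASSES_ROOT"):
    """List deviations of the .exe association from the assumed defaults."""
    keys = parse_reg(text)
    progid = keys.get(f"{root}\\.exe".lower(), {}).get("")
    if progid is None:
        return ["no default value found for .exe"]
    findings = []
    if progid.lower() != DEFAULT_PROGID:
        findings.append(f".exe handler is '{progid}', expected '{DEFAULT_PROGID}'")
    command = keys.get(f"{root}\\{progid}\\shell\\open\\command".lower(), {}).get("")
    if command is not None and command != DEFAULT_COMMAND:
        findings.append(f"open command is {command}")
    return findings
```

An empty list means the exported keys match the assumed defaults; any entry names the handler or command that replaced them.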

The infection will then attempt to find a live Command & Control server by connecting to domains generated by a Domain Generation Algorithm.

For more information on TorrentLocker, please visit our TorrentLocker support topic.

Once at the topic, and if you are a member, you can subscribe to it in order to get notifications when someone adds more information to the topic.

This ransom must be paid using MoneyPak vouchers or Bitcoins.

Once you send the payment and it is verified, the program will decrypt the files that it encrypted.

Info: There is a very active CryptoLocker support topic, which contains discussion and the experiences of a variety of IT consultants, end users, and companies who have been affected by CryptoLocker.